[rb-general] [jvm] How to share rebuilder attestations
Eli Schwartz
eschwartz at archlinux.org
Wed Jan 9 14:51:33 CET 2019
On 1/9/19 2:52 AM, Hervé Boutemy wrote:
> I see the advantages of this scenario
> but I also see 1 key drawback = the buildinfo has to be reproducible, and in
> the case of JVM artifacts in public repositories like Maven Central, this
> could be really problematic since every publisher has his own build platform,
> with his own JDK patch level and own OS (usually one of Windows/Linux/Mac, to
> just limit the diversity but I'm sure it's even more diverse)
> I fear that you can do that because of the strict environment control that a
> Linux distro has, but this cannot be the same with the public JVM repos
>
> can you provide me a pointer to an ArchLinux JVM artifact (preferably built
> with Maven...) that I could try to reproduce myself, please?
https://www.archlinux.org/packages/community/any/maven/
This is our maven package -- anything built using maven will be listed
under Required By, which is only 5 packages.
https://www.archlinux.org/packages/community/any/gradle/
Gradle has another 3.
https://www.archlinux.org/packages/extra/any/ant/
Ant has a few more -- about 31.
> yes, using external server to download dependencies is a default behaviour,
> but if someone wants to override to get his own artifact repository instead,
> you can do it with parameters (at least with Maven, but I suppose every build
> tool can)
Is this something that could be packaged and then referenced as a
directory path?
> let's dig into the JVM requirement:
> from experience, bytecode produced by major JVM versions is really different
> (tested with JDK 7, 8, 9, 10 and 11)
> but patch level is not
> since what we record easily is the full JDK version (major version + patch
> level), we mix strong requirement (major version) with something that is not
> that important (patch level) and that we would like to accept variation (I
> already have 5 JDK versions on my computer for 5 major versions, if I need to
> have strict patch level, I'll finish with hundreds, since once again I want to
> rebuild every artifact from Maven Central, that has been built by anybody in
> his own personal environment.)
I see the problem, although I wonder: if patch-level bytecode is stable,
then could this be solved by defining a buildinfo that only records the
major version?
Might not be worth the downsides though.
--
Eli Schwartz
Bug Wrangler and Trusted User
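As an added example, not code from this thread, from Arch Linux, or from the Maven project: the sketch below compares two buildinfo attestations the way the "record only the major version" idea would require. It treats artifact identity and output checksums as strict, treats the JDK major version as strict, and records the full java.version, vendor and OS only as tolerated differences. The key names imitate the key=value layout of Maven buildinfo files, the two sample documents are constructed, and the checksum value is a placeholder.

```python
import re

# Constructed sample buildinfo fragments in a Maven-buildinfo-style key=value
# layout (assumed format; property names are illustrative, checksum is a placeholder).
PUBLISHER_BUILDINFO = """\
name=example-lib
group-id=org.example
artifact-id=example-lib
version=1.2.3
java.version=1.8.0_191
java.vendor=Oracle Corporation
os.name=Windows 10
outputs.0.filename=example-lib-1.2.3.jar
outputs.0.checksums.sha512=PLACEHOLDER-SHA512-OF-JAR
"""

REBUILDER_BUILDINFO = """\
name=example-lib
group-id=org.example
artifact-id=example-lib
version=1.2.3
java.version=1.8.0_212
java.vendor=AdoptOpenJDK
os.name=Linux
outputs.0.filename=example-lib-1.2.3.jar
outputs.0.checksums.sha512=PLACEHOLDER-SHA512-OF-JAR
"""

# Keys whose values must agree for two attestations to describe the same build.
STRICT_KEYS = ("name", "group-id", "artifact-id", "version")
# Environment keys that are kept for the record but allowed to differ.
INFORMATIONAL_KEYS = ("java.version", "java.vendor", "os.name")


def parse_buildinfo(text):
    """Parse key=value lines into a dict, skipping blank lines and '#' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def java_major(version):
    """Map a java.version string to its major release.

    Pre-9 JDKs report '1.<major>.0_<update>' (1.8.0_191 -> 8); JDK 9 and later
    report '<major>.<minor>.<patch>' (11.0.2 -> 11, 9 -> 9).
    """
    m = re.match(r"(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError("unrecognised java.version: %r" % version)
    first = int(m.group(1))
    if first == 1 and m.group(2) is not None:
        return int(m.group(2))
    return first


def compare_buildinfo(a_text, b_text):
    """Strict on identity, outputs and JDK major; relaxed on the rest of the
    environment. Returns {'match': bool, 'mismatches': [...], 'tolerated': [...]}."""
    a, b = parse_buildinfo(a_text), parse_buildinfo(b_text)
    mismatches, tolerated = [], []

    for key in STRICT_KEYS:
        if a.get(key) != b.get(key):
            mismatches.append(key)

    # Every recorded output (filename and checksums) must match exactly.
    output_keys = {k for k in list(a) + list(b) if k.startswith("outputs.")}
    for key in sorted(output_keys):
        if a.get(key) != b.get(key):
            mismatches.append(key)

    # JDK: the major version is a hard requirement, the patch level is not.
    ja, jb = a.get("java.version"), b.get("java.version")
    if ja is None or jb is None or java_major(ja) != java_major(jb):
        mismatches.append("java.major")

    for key in INFORMATIONAL_KEYS:
        if a.get(key) != b.get(key):
            tolerated.append(key)

    return {"match": not mismatches, "mismatches": mismatches, "tolerated": tolerated}


if __name__ == "__main__":
    print(compare_buildinfo(PUBLISHER_BUILDINFO, REBUILDER_BUILDINFO))
```

With the two constructed documents the comparison reports a match and lists java.version, java.vendor and os.name as tolerated differences; changing the rebuilder's java.version to an 11.x release flips it to a mismatch on the major version, which is exactly the distinction the message above draws between the major version and the patch level.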